Location/things aware cloud services delivery solution

ABSTRACT

Described embodiments provide systems and methods for policy-based authentication, where the policy may designate locations and/or forms of proof of locations, for use in authentication. Some embodiments include or utilize a database storing authentication policies. In an example system, an authentication server in communication with the database is configured to receive a request from a device needing authentication. The request may include a credential. The authentication server is configured to retrieve, from the database storing authentication policies, an authentication policy corresponding to the device, the retrieved authentication policy specifying a location parameter. The authentication server is configured to receive location data from the device and resolve the authentication request using the credential and the received location data pursuant to the retrieved authentication policy.

BACKGROUND

Network accessible computing systems, e.g., servers in a data center,provide various services over a network (e.g., the Internet). Thesesystems are sometimes referred to as “cloud based” or “in the cloud” inreference to their off-premises location within the network (which isoften depicted in figures as a cloud). Cloud-based services may behosted on servers owned or managed by a third-party, e.g., under atenancy or co-tenancy arrangement. The third-party providing thehardware (or time on shared hardware) may be referred to as acloud-services provider. Cloud-based services provide a variety ofconveniences, including the ability to quickly provision new services,the ability to provide services and functionality to network-connectedcustomers in a variety of contexts, and the ability to seamlesslymigrate data between network-connected devices.

Computer systems are increasingly reliant on cloud-based services. Thishas allowed for simplification of devices, reducing size and cost.Special-purpose devices are being developed that rely heavily onnetwork-based resources, and extend the network to support a variety ofnew functionality. The wide variety of network-reliant devices(“things”) is sometimes referred to as “the Internet of Things,” or“IoT.”

The cloud provides significant flexibility, but also provides uniquesecurity concerns. Network-connected devices may be able to accesscloud-based services from anywhere with a network connection. Malicioushackers may be able to exploit security flaws and vulnerabilities toelevate privileges, repurpose systems, steal data, deny service, and soforth. It is therefore important to the functionality of these devicesto maintain adequate security measures.

Multi-factor authentication mechanisms can enhance security. A typicalmulti-factor authentication mechanism uses a credential plus a secondaryinformation element such as a pin code or out-of-band challengeresponse. These mechanisms can be inefficient when they require users tomanually input more information, and may be ineffective forauthenticating IoT devices.

These and other technical problems are addressed by the subject matterdescribed.

SUMMARY

This Summary is provided to introduce a selection of concepts in asimplified form that are further described below in the DetailedDescription. This Summary is not intended to identify key features oressential features, nor is it intended to limit the scope of the claimsincluded herewith.

Described embodiments provide systems and methods for policy-basedauthentication, where the policy may designate locations and/or forms ofproof of locations, for use in authentication. Some embodiments includeor utilize a database storing authentication policies. In an examplesystem, an authentication server in communication with the database isconfigured to receive a request from a device needing authentication.The request may include a credential. The authentication server isconfigured to retrieve, from the database storing authenticationpolicies, an authentication policy corresponding to the device, theretrieved authentication policy specifying a location parameter. Theauthentication server is configured to receive location data from thedevice and resolve the authentication request using the credential andthe received location data pursuant to the retrieved authenticationpolicy.

In at least one aspect, described is a method for authentication. Themethod includes receiving, by a server in a first network, anauthentication request from a device in a second network, theauthentication request including a first credential. The method includesretrieving, by the server, from a database storing authenticationpolicies, an authentication policy corresponding to the device, theretrieved authentication policy specifying a location parameter. Themethod includes receiving, by the server, location data from the device.The method includes resolving the authentication request using the firstcredential and the received location data pursuant to the retrievedauthentication policy.

In at least one aspect, described is a system for authentication. Thesystem includes a database storing authentication policies. The systemincludes an authentication server in communication with the database,the authentication server situated in a first network. Theauthentication server includes at least one processor and is configuredto receive an authentication request from a device in a second network,the authentication request including a first credential. Theauthentication server is configured to retrieve, from the databasestoring authentication policies, an authentication policy correspondingto the device, the retrieved authentication policy specifying a locationparameter. The authentication server is configured to receive locationdata from the device and resolve the authentication request using thefirst credential and the received location data pursuant to theretrieved authentication policy.

BRIEF DESCRIPTION OF THE DRAWING FIGURES

Objects, aspects, features, and advantages of embodiments disclosedherein will become more fully apparent from the following detaileddescription, the appended claims, and the accompanying drawing figuresin which like reference numerals identify similar or identical elements.Reference numerals that are introduced in the specification inassociation with a drawing figure may be repeated in one or moresubsequent figures without additional description in the specificationin order to provide context for other features, and not every elementmay be labeled in every figure. The drawing figures are not necessarilyto scale, emphasis instead being placed upon illustrating embodiments,principles and concepts. The drawings are not intended to limit thescope of the claims included herewith.

FIG. 1A is a block diagram of an illustrative network environment, inaccordance with an illustrative embodiment;

FIG. 1B is a block diagram of an example computing device, in accordancewith an illustrative embodiment;

FIG. 1C is a block diagram of an example computing device incommunication with mid-range or short-range radio-based devices, inaccordance with an illustrative embodiment;

FIG. 1D is a block diagram of an example computing device receivinglocation signals from satellites and/or ascertaining location frommid-range radio-based devices, in accordance with an illustrativeembodiment;

FIG. 2A and FIG. 2B are ladder diagrams for data exchanges used inauthenticating a request;

FIG. 3A is a flowchart for an example method of authenticating a requestbased on a location without requesting location data;

FIG. 3B is a flowchart for an example method of authenticating a requestbased on a location with at least one request for location data;

FIG. 4 is a flowchart for an example method of authenticating a requestbased on a location and determining whether an authenticated request isauthorized; and

FIG. 5 is a flowchart for an example method of submitting a request forauthentication.

DETAILED DESCRIPTION

The subject matter described covers topics that, among other things,enables a request to be authenticated using a location-basedmulti-factor mechanism. Authentication is a determination that a requestattributing its origin to a party actually originated with theattributed party. That is, that the request is authentic. This may be acondition precedent for determining whether the party has the requisiteauthority to complete the request. Authentication is particularlyhelpful in preventing malicious attacks that falsify (or “spoof”)request origination. In some embodiments, the location-based factor isgeographically dependent, e.g., requiring the request to provideevidence or proof that the request originated at a particular geographiclocation or within a geographic region. This is, in some respects, aform of “geo fence.” In some embodiments, the location-based factor isproximity dependent, e.g., requiring the request to provide evidence orproof that the request originated at a device that is near to (or inproximity with) another particular device. In some embodiments, thelocation-based multi-factor mechanism uses a device-dependent policy,such that the mechanism is flexible within the capabilities of thedevice generating the request to be authenticated. In some embodiments,the authentication policy includes a hierarchy, e.g., requiring a deviceto provide satellite-based location data unless the device is inside(and unable to receive satellite signals) and falling back to asecondary form of location evidence such as being on a networkassociated with the correct location or having short-range proximity toa radio beacon associated with the correct location.

FIG. 1A depicts an illustrative network environment 100, in accordancewith an illustrative embodiment. The network environment 100 includes aprovider network 104 _(a), a production network 104 _(b), and one ormore other networks such as a transit network 104 _(c) (the providernetwork 104 _(a), the production network 104 _(b), and the transitnetwork 104 _(c) are referred to generally as networks 104). Within thenetwork environment 100, client devices 120 communicate with servers150, and the servers 150 provide one or more network services to theclient devices 120. As shown in FIG. 1A, servers 150 are situated in theproduction network 104 _(b). The client devices 120 communicate with theservers 150 via the provider network 104 _(a) which may pass datadirectly to the production network 104 _(b) or pass data through one ormore intermediary networks, e.g., through the transit network 104 _(c).Network communications between the client devices 120 and the servers150 flow through network devices 144 such as switches, routers, hubs,filters, firewalls, gateways, and so forth. For example, the providernetwork 104 _(a) includes an access point 130 that directs traffic fromclient devices 120 to the servers 150. As shown in FIG. 1A, theproduction network 104 _(b) includes an authentication server 160responsible for authenticating requests to the one or more servers 150.Although shown as an independent server, in some implementations thefunctions or features of the authentication server 160 are incorporatedinto one or more servers 150 providing other additional services. Theauthentication server 160 authenticates incoming requests, e.g.,requests from the clients 120, using data stored in a data storagedevices 166. The stored data may include, for example, authenticationpolicies requiring client devices 120 to be within or near specifiedlocations as part of the authentication process. As shown in FIG. 1A,the authentication server 160 may enforce these policies based onlocation data from the client devices 120 such as, for example, locationdetermined based on satellites 170 or a short-range radio beacon 180. Insome embodiments, device location is determined based on a location ofthe access point 130 or a radio receiver 134 used for accessing theprovider network 104 _(a). The data storage 166 stores theseauthentication policies, e.g., using a local database system, flat filesystem, or other data organization scheme.

Suitable examples of client devices 120 include various processor-baseddevices that execute instructions for interactions with servers 150 viaa network 104. Some example client devices 120 are “Internet of Things”(“IoT”) devices. For example, some example client devices 120 arepassive monitoring devices such as thermometers, hydrometers,barometers, smoke detectors, light sensors, and the like. Some exampleclient devices 120 receive input from a user and/or present output tothe user. For example, the client device 120 may be any kind ofcomputing device, including, e.g., a desktop computer, a laptop ornotepad computer, a thin client, a mobile device such as a tablet orelectronic “pad,” a smart phone or data phone, a “smart” watch or otherwearable, a gaming system, an Internet Radio, or any other devicecapable of the functions described herein. The client devices 120 arecapable of exchanging information with other computing devices via anetwork 104 (e.g., via the provider network 104 _(a)). For example, aclient device 120 may exchange information over the network 104 usingprotocols in accordance with the Open Systems Interconnection (“OSI”)layers, e.g., using an OSI layer-4 transport protocol such as the UserDatagram Protocol (“UDP”) or the Transmission Control Protocol (“TCP”),layered over an OSI layer-3 network protocol such as Internet Protocol(“IP”), e.g., IPv4 or IPv6. In some embodiments, the client device 120supports network communication using Secure Socket Layer (“SSL”) orTransport Layer Security (“TLS”), which encrypts communications layeredover a reliable transport protocol (such as TCP). In some embodiments,the client device 120 is a thin-client, or functions as a thin-client,executing a thin-client protocol or remote-display protocol such as theIndependent Computing Architecture (“ICA”) protocol created by CitrixSystems, Inc. of Fort Lauderdale, Fla. The ICA protocol allowspresentation at the client device 120 of software executing remotely(e.g., at a server 150), as though the remotely executed software wereexecuted locally on the client device 120. In some embodiments, one ormore of the servers 150 with which the client devices 120 communicatesupports a custom instruction set, e.g., an application programminginterface (“API”), and a custom application executed on the clientdevice 120 implements the API. An application can implement an APIusing, for example, a library such as a dynamic link library (“DLL”) ora software development kit (“SDK”) provided to the application'sdeveloper.

In some embodiments, the client device 120 includes one or more hardwareelements for receiving location signals from satellites 170 or otherlong-range transmitters. Examples of satellite-based location services(also known as global navigation satellite systems, “GNSS”) include theU.S. Global Positioning System (“GPS”), the Russian Global NavigationSatellite System (“GLONASS”), and the European Union's Galileo system. Aclient device 120 equipped with a GNSS receiver may detect signals frommultiple satellites 170 and use the signals to determine a location,e.g., a latitude and longitude coordinate pair, for the client device120. Typically, GNSS requires line of sight to the satellites 170 andworks best outside. These systems may be less reliable, or unreliable,in locations where visibility to the satellites 170 is obstructed, e.g.,inside.

In some embodiments, the client device 120 includes one or more hardwareelements for near-field or short-range radio communication. Theseelements may be used to communicate with other devices in closeproximity (that is, within range for a given radio communicationprotocol). Examples of near-field or short-range radio communicationprotocols include BLUETOOTH, ANT+, radio frequency identification(“RFID”), and near field communication (“NFC”). In some instances, aclient device 120 may exchange data with a special purpose near-field orshort-range radio beacon 180. Examples of a suitable beacon 180 include,but are not limited to, an NFC tag or RFID tag, an RFID reader, APPLEiBEACON, GOOGLE EDDYSTONE, QUALCOMM GIMBAL, and PHILLIPS Visual LightCommunications (“VLC”).

In some embodiments, the client device 120 includes one or more hardwareelements for facilitating data input and data presentation. In someembodiments, the client device 120 is implemented using special purposelogic circuitry, e.g., an application specific integrated circuit(“ASIC”). In some embodiments, the client device 120 is implementedusing a system on a chip (“SoC”) semiconductor device that includes atleast one processor (or microprocessor) core. In some embodiments, theclient device 120 is implemented using a general purpose computingprocessor. FIG. 1B, described in more detail below, illustrates acomputing device 101 that, in some configurations, is suitable for useas a client device 120.

The networks 104 _(a), 104 _(b), and 104 _(c) (referred to generally asa network 104) link devices for communication. In some embodiments, dataflows through the network 104 as a flow of data packets in accordancewith the OSI layers, e.g., as a TCP or ICA flow. An illustrative network104 is the Internet; however, other networks may be used. Each network104 _(a), 104 _(b), and 104 _(c) may be an autonomous system (“AS”),i.e., a network that is operated under a consistent unified routingpolicy (or at least appears to from outside the AS network) and isgenerally managed by a single administrative entity (e.g., a systemoperator, administrator, or administrative group). A network 104 may becomposed of multiple connected sub-networks or AS networks. Networks mayinclude one or more network devices 144 propagating data through thenetwork. Networks meet at boundary nodes, e.g., gateway nodes, routers,or multi-homed computing devices. A network 104 may include wired links,optical links, and/or radio links. A network 104 may include a telephonynetwork, including, for example, a wireless telephony networkimplementing a wireless communication protocol such as the Global Systemfor Mobile Communications (“GSM”), Code Division Multiple Access(“CDMA”), Time Division Synchronous Code Division Multiple Access(“TD-SCDMA”), Long-Term Evolution (“LTE”), or any other such protocol. Awireless network (such as a Wi-Fi network or a wireless telephonynetwork) may use one or more radio receivers 134 for access to thenetwork. The network 104 may be public, private, or a combination ofpublic and private networks. Each of the networks 104 _(a), 104 _(b),and 104 _(c) may be any type and/or form of data network and/orcommunication network.

The network devices 144 are network nodes that forward network data(e.g., data packets) between other network nodes. Suitable examples ofnetwork devices 144 include switches, routers, hubs, multi-homedcomputing devices, or any other device used for network communications.A network device 144 may include two or more network interfaces (orphysical “ports,” which should not be confused with transport protocolports) and logic circuitry for identifying, for particular data, anegress interface connected to another device that will move theparticular data towards a destination. In some embodiments, the networkdevices 144 direct traffic based on routing configuration data toforward data towards traffic destinations. In some embodiments, thenetwork devices 144 forward data according to routing tables. In someembodiments, the network devices 144 forward data according to aconfiguration, e.g., a configuration set by a software defined network(“SDN”) controller. In some embodiments, a network device 144 includes acontent-addressable memory (“CAM”) or ternary content-addressable memory(“TCAM”), used in identifying egress interfaces for routing data. Insome embodiments, a network device 144 implements additional networkfunctionality, or directs traffic through additional network nodesproviding network functionality. For example, a network device 144 maypass traffic through a firewall, a network address translator (“NAT”), anetwork filter, or some other node providing network functionality.

One or more servers 150 may be logically grouped (e.g., as a serverfarm), and may either be geographically co-located (e.g., on premises)or geographically dispersed (e.g., cloud based) from client devices 120and/or other servers 150. In some embodiments, a server 150 or group ofservers 150 executes one or more applications on behalf of one or moreof client devices 120 (e.g., as an application server). In someembodiments, the servers 150 provide functionality such as, but notlimited to, file server, gateway server, proxy server, or other similarserver functions. In some embodiments, client devices 120 may seekaccess to hosted applications on servers 150. In some embodiments, anetwork device 144 or a server 150 may provide load balancing acrossmultiple servers 150 to process requests from client devices 120, act asa proxy or access server to provide access to the one or more servers150, provide security and/or act as a firewall between a client 120 anda server 150, provide Domain Name Service (“DNS”) resolution, provideone or more virtual servers or virtual internet protocol servers, and/orprovide a secure virtual private network (“VPN”) connection from aclient 120 to a server 150, such as a secure socket layer (“SSL”) VPNconnection and/or provide encryption and decryption operations. Oneparticular network function is authentication, which is provided by anauthentication server 160. In some embodiments, the authenticationserver 160 is a stand-alone device. In some embodiments, the functionsand features of the authentication server 160 are incorporated intoother servers 150.

In described embodiments, client devices 120, network devices 144,servers 150 (including the authentication server 160), and other devicesshown in FIG. 1A may be deployed as (or executed on) any type and formof computing device, such as any desktop computer, laptop computer, ormobile device capable of communication over at least one network 104 andperforming the operations described herein. For example, the clientdevices 120, servers 150, and other devices may each correspond to onecomputer, a plurality of computers, or a network of distributedcomputers such as the computing device 101 shown in FIG. 1B.

As shown in FIG. 1B, a computing device 101 may include one or moreprocessors 103, volatile memory 122 (e.g., RAM), non-volatile memory128, user interface (UI) 123, one or more communications interfaces 118(e.g., a network interface card (“NIC”) and/or a radio transmitter,e.g., for Wi-Fi or NFC communications), and a communication bus 105. Theuser interface 123 may include hardware for a graphical user interface(“GUI”) 124 (e.g., a touchscreen, a display, etc.), one or moreinput/output (“I/O”) devices 126 (e.g., a mouse, a keyboard, a speaker,etc.). Non-volatile memory 128 stores an operating system 115, one ormore applications 116, and data 117 such that, for example, computerinstructions of operating system 115 and/or applications 116 areexecuted by processor(s) 103 out of volatile memory 122. Data 117 may beentered using an input device of GUI 124 or received from I/O device(s)126. Various elements of the computing device 101 may communicate viacommunication bus 105. The computing device 101 as shown in FIG. 1B isshown merely as an example, as client devices 120, servers 150(including the authentication server 160), and other network devices 144may be implemented by any computing or processing environment and withany type of machine or set of machines that may have suitable hardwareand/or software capable of operating as described herein.

The processor(s) 103 may be implemented by one or more programmableprocessors executing one or more computer programs to perform thefunctions of the system. As used herein, the term “processor” describesan electronic circuit that performs a function, an operation, or asequence of operations. The function, operation, or sequence ofoperations may be hard coded into the electronic circuit or soft codedby way of instructions held in a memory device. A “processor” mayperform the function, operation, or sequence of operations using digitalvalues or using analog signals. In some embodiments, the “processor” canbe embodied in one or more of an application specific integrated circuit(“ASIC”), microprocessor, digital signal processor, microcontroller,field programmable gate array (“FPGA”), programmable logic arrays(“PLA”), multi-core processor, or general-purpose computer processorwith associated memory. The “processor” may be analog, digital, ormixed-signal. In some embodiments, the “processor” may be one or morephysical processors or one or more “virtual” (e.g., remotely located orcloud-based) processors.

The non-volatile memory 128 may include one or more of a hard disk drive(“HDD”), solid state drive (“SSD”) such as a Flash drive or other solidstate storage media, or other magnetic, optical, circuit, or hybrid-typestorage media. In some embodiments, the non-volatile memory 128 includesread-only memory (“ROM”). In some embodiments, storage may bevirtualized, e.g., using one or more virtual storage volumes, such as acloud storage, or a combination of such physical storage volumes andvirtual storage volumes.

The communications interface 118 may include one or more interfaces toenable the computing device 101 to access a computer network 104 such asa LAN, a WAN, or the Internet through a variety of wired and/or wirelessor cellular connections. In some embodiments, the communicationsinterface 118 includes one or more network connection points (ports) andan interface controller. Network connection points may be wiredconnection points (e.g., Ethernet ports) or wireless (e.g., radiocircuitry for Wi-Fi or mobile network communications).

FIG. 1C is a block diagram of an example computing device 101 incommunication with mid-range or short-range radio-based devices, inaccordance with an illustrative embodiment. The communications interface118 may include a short-range radio transmitter and receiver, e.g., forcommunication with an RFID reader or NFC tag 188 or a BLUETOOTH beacon180. Some BLUETOOTH beacons 180 use the BLUETOOTH LOW ENERGY (“BLE”)protocol. In some embodiments, the computing device 101 may use theshort proximity requirements of these technologies to determine that thecomputing device 101 is in relatively close proximity to particulardevices (e.g., an RFID or NFC tag 188 or a BLUETOOTH beacon 180). Insome embodiments, the computing device 101 may use a network antennae134 to determine that the computing device 101 is in relatively closeproximity to a location corresponding to the network antennae 134. Forexample, the network antennae 134 may be an access point or base stationfor a mobile telephony system (e.g., for a particular cellular telephonecommunication network).

FIG. 1D is a block diagram of an example computing device 101 receivinglocation signals from satellites 170 and/or ascertaining location frommid-range radio-based devices (represented by antennae 134), inaccordance with an illustrative embodiment. In some embodiments, theclient device 120 includes one or more location receiver(s) 176 forreceiving location signals from satellites 170 or other long-rangetransmitters (e.g., the aforementioned GNSS such as GPS, GLONASS, orGalileo). A computing device 101 equipped with a location receiver 176may detect signals from multiple satellites 170 and use the signals todetermine a location, e.g., a latitude and longitude coordinate pair,for the computing device 101. Typically, GNSS requires line of sight tothe satellites 170 and works best outside. These systems may be lessreliable, or unreliable, in locations where visibility to the satellites170 is obstructed, e.g., inside. In some embodiments, the computingdevice 101 may use a network antennae 134 to determine that thecomputing device 101 is in relatively close proximity to a locationcorresponding to the network antennae 134. For example, the networkantennae 134 may be an access point or base station for a Wi-Fi systemwithin a building or complex.

As described in more detail below, a client device 120 may submit arequest to a server 150 that requires authentication. An authenticationserver 160 (which may be the same server 150 or another designatedauthentication server 160) authenticates the provenance of the requestprior to determining whether the server 150 should authorize or satisfythe request. In some instances, a request may be part of a session madeof a series of requests or interactions. An initial request of thesession (either the first request, or an early request in the session)may be a request to authenticate a source of the requests. For example,a client device 120 may initiate a session with a handshake protocolfollowed by a log-in request. The log-in request may includecredentials, e.g., an account username or account identifier and secretknowledge specific to the account such as a pin code, passphrase, orpassword. After authentication, the session may be referred to as anauthenticated session. Requests received after authentication, from thesame source, may be referred to as authenticated requests. A session maybe conducted, for example, in a secure communication protocol such thatall requests may be reliably accepted as originating from the samesource.

In order to authenticate the authentication request, the authenticationserver 160 may require that the request originate from a particularlocation. For example, requests from an IoT device installed in aparticular building should be expected to originate from the particularbuilding. In some embodiments, the authentication server 160 usesenforces location requirements based on a policy. For example, theauthentication server 160 may require location to be specified in termsof latitude and longitude (e.g., from a GNSS such as GPS). As anotherexample, the authentication server 160 may infer the location based on anetwork address for the request (e.g., using an IP address togeolocation database). In some examples, the authentication server 160may be configured with location data for network access points 130(e.g., Wi-Fi “hot spots” or radio antenna 134) and may require that therequesting device be communicating via a particular access point. Insome embodiments, the authentication server 160 may have record of alocation for a device such as a beacon 180 or short-range tag 188 andmay require the device 120 submitting the authentication request to bewithin close proximity to the known-location device, where closeproximity is sufficiently close enough to communicate with theknown-location device using its particular short-range communicationprotocol. The policy may require location evidence using one or moreforms of location evidence. The policy may require multiple forms oflocation evidence, e.g., IP address based geolocation andsatellite-based latitude and longitude within a preset zone (or adistance from a fixed point). The following table (TABLE 1) lists someexamples of location evidence that may be used:

TABLE 1 Evidence Type Description Requirement Location based When clienthas location described Client should have a on GNSS inlatitude/longitude. Location is GPS receiver such as GPS within certaingeographic range. Location based When client's location is estimatedClient should have on IP Address from IP address. Location is within anIP address which certain geographic range. directly or routed to theinternet BLUETOOTH When client detects BLUETOOTH Client should have a orBLE beacon Bluetooth receiver Wireless When client connects to accessClient should access (Mobile point based on the name of access towireless network Telephony or point Wi-Fi) RFID When client is inproximity to a Client should have device which can be detected by anRFID receiver RFID NFC When client is in proximity to a Client shouldhave a device which can be detected by NFC receiver NFC

In some embodiments, the client device 120 is expected to know thelocation requirements without receiving a request. For example, an IoTdevice may be hardcoded to provide location data. In some embodiments,the client device 120 is provided with a specific location evidencerequest. For example, a more general-purpose device such as a smartphone may need to be informed of authentication policy requirements.FIG. 2A is a ladder diagram for a data exchange 200 used inauthenticating a request without a location request. FIG. 2B is a ladderdiagram for a similar data exchange 220 used in authenticating a requestwith a location request.

Referring first to FIG. 2A, the depicted ladder diagram illustrates adata exchange 200 in which a client device 120 submits an authenticationrequest 210 to an authentication server 160 along with location evidence216. In some embodiments, the authentication request 210 includes thelocation evidence 216. The authentication server 160 performs a policylook-up 230 from data storage 166 and retrieves policy data 240. Theauthentication server 160 then authenticates 270 the request and returnsauthentication result 290 to the client device 120. For example, theauthentication server 160 may notify the client device 120 that theauthentication request 210 has been accepted or rejected. FIG. 3A,described in more detail below, is a flowchart for an example method 300of authenticating a request based on a location without requestinglocation data, e.g., as in the data exchange 200.

Referring to FIG. 2B, the depicted ladder diagram illustrates a dataexchange 220 in which a client device 120 submits an authenticationrequest 210 to an authentication server 160 without sufficient locationevidence 216. In some embodiments, the authentication request 210includes no location evidence at all, or includes insufficient evidencefor a particular location authentication policy. The authenticationserver 160 performs a policy look-up 230 from data storage 166 andretrieves policy data 240. The authentication server 160 then sends alocation request 250 to the client device 120, soliciting locationevidence from the client device 120. The client device 120 return therequested location evidence 260 and the authentication server 160 thenauthenticates 280 the authentication request and returns authenticationresult 290 to the client device 120. For example, the authenticationserver 160 may notify the client device 120 that the authenticationrequest 210 has been accepted or rejected. FIG. 3B, described in moredetail below, is a flowchart for an example method 320 of authenticatinga request based on a location with at least one request for locationdata, e.g., as in the data exchange 220.

FIG. 3A is a flowchart for an example method 300 of authenticating arequest based on a location without requesting location data. Asdescribed above in reference to FIG. 2A, in some embodiments, the clientdevice 120 is expected to know the location requirements withoutreceiving a request. An authentication server 160 may receive anauthentication request from such a device and process the request asshown in FIG. 3A. In brief overview, at stage 310, the authenticationserver 160 receives the authentication request from the device via anetwork, the authentication request including at least a credential. Atstage 316, the authentication server 160 receives location data from thedevice via the network. The location data may be, for example, includedin the authentication request received at stage 310. At stage 330, theauthentication server 160 retrieves an authentication policycorresponding to the device, the authentication policy specifying alocation parameter. The authentication server 160 may retrieve theauthentication policy from a data storage system 166, as shown in FIG.2A. The authentication server 160 may retrieve the authentication policyfrom a local cache. At stage 370, the authentication server 160 resolvesthe authentication request using the credential and the location datapursuant to the authentication policy. At stage 390, the authenticationserver 160 returns results of the authentication resolution, e.g.,authenticating or rejecting the request received in stage 310.

Referring to FIG. 3A in more detail, in the example method 300, anauthentication server 160 receives an authentication request from adevice at stage 310. The device may be, for example, a client device 120as depicted in FIG. 1A. The request from the device may be, for example,part of the exchange 200 depicted in FIG. 2A. The device may beparticipating in (or situated in) a first network (e.g., the providernetwork 104 _(a) depicted in FIG. 1A) and the authentication server 160may be participating in (or situated in) a second network (e.g., theproduction network 104 _(b) depicted in FIG. 1A). The request may be aresource request (e.g., a request for a uniform resource locator(“URL”)), may be a log-in request, may be a session initiation request,may be part of a custom protocol or standard protocol, may be part of aprotocol handshake, may be an explicit request for authentication, maybe an implicit request for authentication (e.g., a request that, inorder to be processed, must first be authenticated), or any other typeof request that may be used to trigger an authentication check. Forexample, in some embodiments, the request is a Hypertext TransferProtocol (“HTTP”) or HTTPS request, e.g., a GET or a POST request. Insome embodiments, the request is received directly by the authenticationserver 160. In some embodiments, the request is first received byanother server 150 (e.g., a web server) that outsources authenticationto the authentication server 160.

The request may include origination information such as a deviceidentifier (e.g., a media access control (“MAC”) identifier), a networkaddress (e.g., an IPv4 or IPv6 address), a software name, a softwareversion (e.g., a browser version), and so forth. The request may includeinformation identifying the type of device. For example, the request mayexplicitly state that the origination device is a particular make andmodel. In some embodiments, the authentication server 160 may determinethe type of the device from the request, e.g., based on the MACidentifier, the software version, or other characteristics of therequest.

The request includes a credential for authentication. In someembodiments, the credential includes an account identifier such as anaccount username. In some embodiments, the credential includes secretknowledge such as a pin code, a passphrase, or a password. For example,the credential may include an account username or account identifier andsecret knowledge specific to the account such as a pin code, passphrase,or password. In some embodiments, the credential is an encrypted tokenor challenge response. For example, the credential may be a valueprovided by the server that has been encrypted by the device usingeither a secret key shared by both the server and the device or using anasymmetrical key. In some embodiments, the initial authenticationrequest includes the credential. In some embodiments, the initialauthentication request does not include the credential, and the deviceprovides the credential in a subsequent message, e.g., as part of asequence or in response to a server challenge. In some embodiments, theinitial authentication request includes location data. In someembodiments, the initial authentication request does not include thelocation data, and the device provides the location data in a subsequentmessage, e.g., as part of a sequence or in response to a serverchallenge.

At stage 316, the authentication server 160 receives location data fromthe device via the network. The location data may be, for example,included in the authentication request received at stage 310. In someembodiments, the initial authentication request includes location data.In some embodiments, the initial authentication request does not includethe location data, and the device provides the location data in asubsequent message, e.g., as part of a sequence or in response to aserver challenge. The location data may include, for example, a latitudeand longitude pair (e.g., as obtained by the device from a GNSS receiversuch as a GPS receiver). The location data may include measurements fromsensors built into the device, e.g., barometric readings. The locationdata may include network identifiers such as the network addressassigned to the device and/or identifiers for the provider network 104_(a). The location data may include timestamp information. In someembodiments, the location data is extracted by the server from theauthentication request, e.g., parsing network address information fromthe request. In some embodiments, the location of an access point orradio antenna for the provider network 104 _(a) is known to theauthentication server 160 and the ability of the device to communicatevia the provider network 104 _(a) is evidence of its location. In someembodiments, the device is in proximity to a second device such as ashort-range radio beacon 180. Examples of a suitable beacon 180 include,but are not limited to, an NFC tag or RFID tag, an RFID reader, theAPPLE IBEACON, GOOGLE EDDYSTONE, QUALCOMM GIMBAL, PHILLIPS VISUAL LIGHTCOMMUNICATIONS (“VLC”). In some such embodiments, the location of theshort-range radio beacon 180 is known to the authentication server 160and the ability of the device to communicate with the beacon 180 isevidence of its proximity thereto.

At stage 330, the authentication server 160 retrieves an authenticationpolicy corresponding to the device, the authentication policy specifyinga location parameter. The authentication server 160 may retrieve theauthentication policy from a data storage system 166, as shown in FIG.2A. The authentication server 160 may retrieve the authentication policyfrom a local cache. In some embodiments, the authentication server 160retrieves the authentication policy from a data storage system 166 andkeeps a cache or recently retrieved policies. In some embodiments, theauthentication policy is specific to the device (or type of device)tendering the request. The authentication server 160 may perform adatabase query seeking an authentication policy for authenticatingrequests from devices of the device type. For example, the policy forauthenticating requests originating from a multi-purpose device such asa personal computer, tablet, or smartphone may be different from thepolicy for authenticating requests originating from a single (orlimited) purpose device such as an IoT sensor or monitor. In someembodiments, the policy may include variables dependent on an accountidentified in the credentials. For example, the policy may specify howthe device should proof its location, and also specify acceptablelocations for authentication of a particular account identifier.

In some embodiments, a policy may be tailored to the capabilities of theorigination device. For example, the policy may require asatellite-based location (e.g., a latitude/longitude pair) from a deviceequipped with a GNSS receiver (such as a GPS receiver), but not requirea satellite-based location from a device not equipped with a GNSSreceiver. In some embodiments, the policy may have alternativerequirements, or fallback requirements. For example, a device equippedwith a GNSS receiver might not be able to receive adequate satellitesignals when used inside, and the policy may account for this byrequiring that the device be participating in a particular local-areanetwork (“LAN”) when GNSS signals are unavailable. Likewise, the policymay require that a device with an RFID reader report a value from anear-by RFID tag, or that a device with an NFC reader report a valuefrom a near-by NFC tag. For example, a tag may have a unique value or IDand the device may be required to report the ID to the authenticationserver 160.

In some embodiments, an authentication policy may include frequency orrecency requirements. For example, the authentication policy may mandatethat a device equipped with a GNSS receiver may only use the fallback“inside” evidence if the same device has recently providedlatitude/longitude in a previous authentication attempt (e.g., withinthe preceding hour, within the preceding day or twenty-four hours,within the preceding week, month, year, etc.).

In some embodiments, an authentication policy may require multiple formsof location evidence. For example, a policy may require that the deviceprovide both a satellite-based location and be connected to a networkvia an access point associated with the location. As another example,the policy may require that the device provide a satellite-basedlocation within a certain range, and provide an ID from a near-byshort-range radio device (e.g., an NFC tag or RFID tag or BLUETOOTHbeacon) and that the device has network access via a particular wirelessaccess point named in the policy.

In some embodiments, the location data is encrypted. For example, insome embodiments, the client device 120 obtains an encrypted token froma second device (e.g., a short-range radio beacon 180) and provides theauthentication server 160 with the encrypted token as evidence of itsproximity to the second device. In some embodiments, the second deviceis equipped with a network connection and receives the token from theauthentication server 160, e.g., as a one-time use challenge.

At stage 370, the authentication server 160 resolves the authenticationrequest using the credential and the location data pursuant to theauthentication policy. In some embodiments, the authentication server160 deems the request authentic if the credential is authentic and thelocation data evidences that the device is in a particular location asrequired by the authentication policy. In some embodiments, the devicemust be within a geographic zone specified by the policy. For example,the policy may specify a zone by boundaries, by distance from a centerpoint, or by other means. In some embodiments, the device must be withina threshold distance of a specified location. In some embodiments, thedevice must be on a particular network, or accessing a particularnetwork via a particular access point or antenna. In some embodiments,the device must be in proximity to another device. In some embodiments,the authentication policy may mandate that the device satisfy multipleconditions, e.g., participating in a particular network and being inproximity to another device. In some embodiments, additionalauthentication factors may be used. In some embodiments, an authenticcredential may be rejected if the device doesn't satisfy the locationpolicy. In some embodiments, the authentication server 160 need notconsider the credential unless the device satisfies the location policy.

At stage 390, the authentication server 160 returns results of theauthentication resolution, e.g., authenticating or rejecting the requestreceived in stage 310. In some embodiments, the authentication server160 only responds to the requesting device if the request issuccessfully authenticated. In some embodiments, the authenticationserver 160 notifies the requesting device that the authenticationrequest was rejected. In some embodiments, if the authentication requestwas rejected, the authentication server 160 solicits additionalinformation from the device, e.g., requesting specific location data ora revised credential. In some embodiments, the authentication server 160provides, to the device, a description of at least some portion of theauthentication policy. For example, the authentication server 160 mayrequest that the device provide one or more forms of location evidencefrom a list of acceptable forms of location evidence. If moreinformation is requests, the method 300 may effectively resemble amethod of authenticating a request based on a location with at least onerequest for location data, e.g., as described in reference to FIG. 3B.

FIG. 3B is a flowchart for an example method 320 of authenticating arequest based on a location with at least one request for location data.As described above in reference to FIG. 2B, in some embodiments, theclient device 120 submits an authentication request that includes nolocation evidence at all, or includes insufficient evidence for aparticular location authentication policy. An authentication server 160may receive an authentication request from such a device and process therequest as shown in FIG. 3B. In brief overview, at stage 312, theauthentication server 160 receives the authentication request from thedevice via a network, the authentication request including at least acredential. At stage 332, the authentication server 160 retrieves anauthentication policy corresponding to the device, the authenticationpolicy specifying a location parameter. At stage 350, the authenticationserver 160 sends a location-evidence request to the device based on thelocation parameter specified by the authentication policy. At stage 360,the authentication server 160 receives location data from the device viathe network responsive to the location-evidence request. In someinstances, the device may be unable to comply with the location-evidencerequest and stages 332, 350, and 360 may be iterated for one or morefallback policies; this situation is described in more detail inreference to FIG. 4. Still referring to the method 320 illustrated inFIG. 3B, at stage 380, the authentication server 160 resolves theauthentication request using the credential and the location datapursuant to the authentication policy. At stage 392, the authenticationserver 160 returns results of the authentication resolution, e.g.,authenticating or rejecting the request received in stage 312.

Referring to FIG. 3B in more detail, in the example method 320, anauthentication server 160 receives an authentication request from adevice at stage 312. The device may be, for example, a client device 120as depicted in FIG. 1A. The request from the device may be, for example,part of the exchange 220 depicted in FIG. 2B. The device may beparticipating in (or situated in) a first network (e.g., the providernetwork 104 _(a) depicted in FIG. 1A) and the authentication server 160may be participating in (or situated in) a second network (e.g., theproduction network 104 _(b) depicted in FIG. 1A). The types or forms ofrequest received in stage 312 may be similar to, or equivalent to, thetypes or forms of request described above in reference to stage 310 fromFIG. 3A. For example, the request received in stage 312 includes acredential. In some embodiments, the credential includes an accountidentifier such as an account username. In some embodiments, thecredential includes secret knowledge such as a pin code, a passphrase,or a password. For example, the credential may include an accountusername or account identifier and secret knowledge specific to theaccount such as a pin code, passphrase, or password. In someembodiments, the credential is an encrypted token or challenge response.For example, the credential may be a value provided by the server thathas been encrypted by the device using either a secret key shared byboth the server and the device or using an asymmetrical key. In someembodiments, the initial authentication request includes the credential.In some embodiments, the initial authentication request does not includethe credential, and the device provides the credential in a subsequentmessage, e.g., as part of a sequence or in response to a serverchallenge. In some embodiments, the request received in stage 312explicitly or implicitly identifies the device, or type of device,submitting the request. For example, the request may include a deviceidentifier or information corresponding to a device type.

At stage 332, the authentication server 160 retrieves an authenticationpolicy corresponding to the device, the authentication policy specifyinga location parameter. In some embodiments, the authentication policy issimilar to, or equivalent to, one of the authentication policiesdescribed above in reference to stage 330 from FIG. 3A. In someembodiments, the authentication server 160 identifies a device type forthe device submitting the request, from information included in theauthentication request received in stage 312, and performs a databasequery (or cache lookup) to identify one or more authentication policiescorresponding to the identified device type. As described above, someauthentication policies may be tailored to the specific capabilities orfunctionalities of specific types of devices. In some embodiments, theauthentication policy may indicate how much information can be sent tothe device in a location-evidence request.

At stage 350, the authentication server 160 sends a location-evidencerequest to the device based on the location parameter specified by theauthentication policy. The authentication server 160 generates and sendsa request for proof of the device's location. For example, theauthentication server 160 may determine from the authentication policythat the device has (or should have) a GNSS receiver and send the devicea request for its current satellite-based location. In some instances,the request could be satisfied with a latitude longitude pair. In someembodiments, the request may indicate that the device should provide thelatitude longitude location and additional data detailing how it wasdetermined, e.g., providing a count of the number of GNSS satellitesused, identifiers for the GNSS satellites used, timestamps in receivedsatellite signals, etc.

At stage 360, the authentication server 160 receives location data fromthe device via the network responsive to the location-evidence request.That is, the device receives the location-evidence request transmittedin stage 350 and attempts to comply by providing location data receivedby the authentication server 160 at stage 360. In some embodiments, theauthentication server 160 may receive the requested location evidence.In some embodiments, the authentication server 160 may receive less-thanall of the requested data, and the authentication server 160 determineswhether the tendered data is sufficient in accordance with the policy.For example, the authentication policy may allow for alternative formsof location evidence and the device might provide one or more of thealternatives. In some embodiments, if the authentication server 160 doesnot receive the expected location evidence, it identifies an acceptablealternative (e.g., with another look-up as described in reference tostage 332) and sends another location-evidence request (e.g., asdescribed in reference to stage 350). In some embodiments, the devicesubmits an explicit request for an alternative option and theauthentication server 160, receiving the explicit request, responds withan alternative.

At stage 380, the authentication server 160 resolves the authenticationrequest using the credential and the location data pursuant to theauthentication policy. In some embodiments, the resolving theauthentication request at stage 380 is similar to, or equivalent to,resolving the authentication request as described above in reference tostage 370 from FIG. 3A. In some embodiments, in stage 380, theauthentication server 160 may determine that additional information isneeded and may submit additional “challenge” requests to the device,e.g., by returning to stage 332 or stage 350.

At stage 392, the authentication server 160 returns results of theauthentication resolution, e.g., authenticating or rejecting the requestreceived in stage 312. In some embodiments, returning the results atstage 392 is similar to, or equivalent to, returning the results asdescribed above in reference to stage 390 from FIG. 3A.

In some embodiments, the authentication server 160, having authenticateda request from a device, may then determine if the authenticated requestis authorized. That is, authentication determines the authenticity of arequest, e.g., verifying that the source of the request is authentic.However, the source of the request might lack authority to complete therequest. For example, the request may require certain privileges orpermissions that might (or might not) have been granted to therequestor.

FIG. 4 is a flowchart for an example method 400 of authenticating arequest based on a location and determining whether an authenticatedrequest is authorized. In brief overview, at stage 405, anauthentication server 160 receives a request from a device via anetwork. At stage 410 the authentication server 160 receives acredential from the device and at stage 416 the authentication server160 receives location data from the device. In some instances, therequest received at stage 405 may include the credential and/or thelocation data. In some instances, the authentication server 160 mayinitially receive the credential but no location data. At stage 420, theauthentication server 160 retrieves an authentication policycorresponding to the device, the authentication policy specifying alocation parameter. At stage 430, the authentication server 160determines whether the location data received from the device wassufficient, or if additional location data should be requested. If moredata is needed, then at stage 440, the authentication server 160 sends alocation request to the device and, at stage 416, receives location datafrom the device. If the authentication server 160 has received thenecessary data, then at stage 450 the authentication server 160determines whether the location data and the credential satisfy theauthentication policy. In some embodiments, the authentication policymay allow for alternative location data. In such embodiments, if theauthentication server 160 determines at stage 450 that the policy hasnot yet been satisfied, then at stage 470 the authentication server 160determines whether there is an alternative authentication policyavailable and, if necessary, returns to stage 420 to retrieve thealternative authentication policy. (In some embodiments, the alternativemay already be loaded and, as indicated by arrow 460, the authenticationserver 160 may simply return to stage 430 to determine if more locationdata is needed.) If the authentication server 160 determines at stage350 that the request is authentic, then the authentication server 160(or another server such as an authorization server) determines at stage480 wither the authenticated credential is sufficient to authorize therequest. If so, then at stage 490, the server authorizes the request.However, if the request fails at stage 450, or if there is noalternative policy at stage 470, or if the authenticated credential isnot authorized for the request at stage 480, then at stage 495 therequest is refused.

Referring to FIG. 4 in more detail, at stage 405, an authenticationserver 160 receives a request from a device via a network. The receivedrequest may be an explicit authentication request, e.g., a log-inrequest or session initiation request. The received request may be arequest that needs to be authenticated, e.g., a data request. Thereceived request may be a request to report data. The received requestmay be part of a transaction, a data exchange, or a session. In someembodiments, the received request conforms to a custom protocol. In someembodiments, the received request conforms to a standardized protocol.The request may include origination information such as a deviceidentifier (e.g., a media access control (“MAC”) identifier), a networkaddress (e.g., an IPv4 or IPv6 address), a software name, a softwareversion (e.g., a browser version), and so forth. The request may includeinformation identifying the type of device originating the request. Forexample, the request may explicitly state that the origination device isa particular make and model. In some embodiments, the authenticationserver 160 may determine the type of the device from the request, e.g.,based on the MAC identifier, the software version, or othercharacteristics of the request. In some embodiments, the requestreceived in stage 405 includes a credential and/or location data. Insome embodiments, the request includes a token. In some embodiments therequest is similar to, or equivalent to, the requests described above inreference to stage 310 of the method 300 in FIG. 3A and/or in referenceto stage 312 of the method 320 in FIG. 3B.

At stage 410 the authentication server 160 receives a credential fromthe device and at stage 416 the authentication server 160 receiveslocation data from the device. In some instances, the request receivedat stage 405 may include the credential and/or the location data. Insome instances, the authentication server 160 may initially receive thecredential but no location data. Receiving credentials and location datais described above, in reference to FIG. 3A and FIG. 3B.

At stage 420, the authentication server 160 retrieves an authenticationpolicy corresponding to the device, the authentication policy specifyinga location parameter. In some embodiments, retrieving the authenticationpolicy is similar to, or equivalent to, the retrievals described abovein reference to stage 330 in FIG. 3A and stage 332 in FIG. 3B. In someembodiments, stage 420 may be repeated iteratively, e.g., progressivelyidentifying fallback policies when a device is unable to comply with apolicy. For example, in a first iteration, a device with a GNSS receivermay be required to provide satellite-based location data; however, thedevice might not be able to comply (e.g., because it is inside), and theauthentication server 160 may look-up a fallback policy, e.g., arequirement that the device be participating on a network 104 _(a) at anacceptable indoor location.

At stage 430, the authentication server 160 determines whether thelocation data received from the device was sufficient, or if additionallocation data should be requested. That is, the device may havesubmitted location data received at stage 416. For example, the devicemay have submitted network identifiers in an initial request. In thisexample, if the network identifiers are sufficient to satisfy thepolicy, then no further location data is needed. However, if the policyrequired, for example, satellite-based location data, then additionalinformation might be needed from the device. If more data is needed,then at stage 440, the authentication server 160 sends a locationrequest to the device and, at stage 416, receives location data from thedevice. This is described above in reference to stage 350 and stage 360of the method 320 illustrated in FIG. 3B.

If the authentication server 160 determines at stage 430 that is hasreceived the necessary location data, then at stage 450 theauthentication server 160 determines whether the location data and thecredential satisfy the authentication policy. In some embodiments, theauthentication policy may allow for alternative location data. In suchembodiments, if the authentication server 160 determines at stage 450that the policy has not yet been satisfied, then at stage 470 theauthentication server 160 determines whether there is an alternativeauthentication policy available and, if necessary, returns to stage 420to retrieve the alternative authentication policy. (In some embodiments,the alternative may already be loaded and, as indicated by arrow 460,the authentication server 160 may simply return to stage 430 todetermine if more location data is needed.)

If the authentication server 160 determines at stage 350 that therequest is authentic, then the authentication server 160 (or anotherserver such as an authorization server) determines at stage 480 whetherthe authenticated credential is sufficient to authorize the request.

If the authentication server 160 determines at stage 380 that theauthenticated credential is sufficient to authorize the request, then atstage 490, the server authorizes the request. In some embodiments, therequest is to initiate a session and, at stage 490, the authenticationserver 160 authorizes the session to proceed. In some embodiments, therequest is to retrieve a resource and, at stage 490, the authenticationserver 160 authorizes a server (e.g., a server 150) to provide theresource responsive to the request. In some embodiments, the request isrecord data and, at stage 490, the authentication server 160 authorizesa server (e.g., a server 150) to accept and record the data.

If the request fails to be authenticated at stage 450, or if there is noalternative policy at stage 470, or if the authenticated credential isnot authorized for the request at stage 480, then at stage 495 therequest is refused. In some embodiments, the authentication server 160refuses the request by sending an explicit rejection message to therequesting device. In some embodiments, the authentication server 160refuses the request by dropping (or otherwise ignoring) the request fromthe device. In some embodiments, the authentication server 160 refusesthe request by terminating a session with the requesting device. In someembodiments, the authentication server 160 caches identifiers for therequesting device and refuses to accept further messages or requestsfrom the device.

FIG. 5 is a flowchart for an example method 500 of submitting a requestfor authentication. The example method 500 is from the perspective of aclient device 120, e.g., engaging in the interaction illustrated in FIG.2B. In broad overview of the method 500, at stage 510, the client device120 transmits an authentication request to a server and receives, atstage 520, from the server, a location-evidence request. At stage 530,the client device 120 identifies location data sufficient to satisfy thelocation-evidence request and at stage 540 transmits, to the server, theidentified location data to satisfy the location-evidence request. Theclient device 120, may then receive some indication of authentication.The authentication may be used by the client device 120 to submitauthenticated requests. For example, at stage 550, the client device 120transmits an authorization request to the server based on theauthentication.

The systems and methods described may be used in a variety ofembodiments. For example, and without limitation:

In at least one aspect, the above describes a method for authentication.The method includes receiving, by a server in a first network, anauthentication request from a device in a second network, theauthentication request including a first credential. The method includesretrieving, by the server, from a database storing authenticationpolicies, an authentication policy corresponding to the device, theretrieved authentication policy specifying a location parameter. Themethod includes receiving, by the server, location data from the device.The method includes resolving the authentication request using the firstcredential and the received location data pursuant to the retrievedauthentication policy.

In some embodiments of the method, the location parameter specifies thatthe device should provide a latitude and a longitude. In someembodiments of the method, the location parameter specifies a maximumdistance from a latitude and a longitude. In some embodiments of themethod, the location parameter specifies includes a networkparticipation requirement, e.g., satisfied by the second network.

Some embodiments of the method include receiving, by the server from thedevice, a location of the device from a satellite-based positioningsystem, determining a distance from the location of the device to thespecified latitude and longitude, comparing the determined distance to arange threshold, and resolving the authentication request based on thecomparison of the distance to the range threshold. In some embodiments,the device must be within the threshold distance for the request to beauthenticated.

Some embodiments of the method include receiving, by the server from thedevice, location proof data from a beacon proximate to the device,wherein the beacon is at a location known to the server. In some suchembodiments, the location proof data is received by the device from thebeacon via a short-range radio-frequency communication. In someembodiments, the location proof data is received by the device from thebeacon via one of: BLUETOOTH, Near-Field Communication (“NFC”), orradio-frequency identification technology (“RFID”). In some embodiments,the method includes receiving, by the server from the device, locationproof data that the device received from a second device proximate tothe device, wherein the second device is in communication with theserver and is separately authenticated by the server.

In some embodiments of the method, the location parameter includes anetwork participation requirement satisfied by the second network. Somesuch embodiments of the method include receiving, by the server from thedevice, proof that the device is participating in the second network.

Some embodiments of the method include receiving, by the server, theauthentication request from the device via a cryptographically securedcommunication channel. Some embodiments of the method includetransmitting, by the server to the device and responsive to receivingthe authentication request, a secondary request soliciting the locationparameter.

In at least one aspect, these methods may be encoded ascomputer-readable instructions for execution by one or more processors.The computer-readable instructions can be encoded on non-transitorycomputer-readable media.

In at least one aspect, the above describes a system for authentication.The system includes a database storing authentication policies. Thesystem includes an authentication server in communication with thedatabase, the authentication server situated in a first network. Theauthentication server includes at least one processor and is configuredto receive an authentication request from a device in a second network,the authentication request including a first credential. Theauthentication server is configured to retrieve, from the databasestoring authentication policies, an authentication policy correspondingto the device, the retrieved authentication policy specifying a locationparameter. The authentication server is configured to receive locationdata from the device and resolve the authentication request using thefirst credential and the received location data pursuant to theretrieved authentication policy.

In some embodiments of the system, the location parameter specifies thatthe device should provide a latitude and a longitude. In someembodiments of the system, the location parameter specifies a maximumdistance from a latitude and a longitude. In some embodiments of thesystem, the location parameter specifies includes a networkparticipation requirement, e.g., satisfied by the second network.

In some embodiments of the system, the authentication server isconfigured to receive, from the device, a location of the device from asatellite-based positioning system, determine a distance from thelocation of the device to the specified latitude and longitude, comparethe determined distance to a range threshold, and resolve theauthentication request based on the comparison of the distance to therange threshold. In some embodiments, the device must be within thethreshold distance for the request to be authenticated.

In some embodiments of the system, the authentication server isconfigured to receive, from the device, location proof data from abeacon proximate to the device, wherein the beacon is at a locationknown to the server. In some such embodiments, the location proof datais received by the device from the beacon via a short-rangeradio-frequency communication. In some embodiments, the location proofdata is received by the device from the beacon via one of: BLUETOOTH,Near-Field Communication (“NFC”), or radio-frequency identificationtechnology (“RFID”). In some embodiments of the system, theauthentication server is configured to receive, from the device,location proof data that the device received from a second deviceproximate to the device, wherein the second device is in communicationwith the server and is separately authenticated by the server.

In some embodiments of the system, the location parameter includes anetwork participation requirement satisfied by the second network. Insome such embodiments of the system, the authentication server isconfigured to receive, from the device, proof that the device isparticipating in the second network.

In some embodiments of the system, the authentication server isconfigured to receive the authentication request from the device via acryptographically secured communication channel. In some embodiments ofthe system, the authentication server is configured to transmit, to thedevice and responsive to receiving the authentication request, asecondary request soliciting the location parameter.

In some embodiments of the system, one or more processors in theauthentication server are configured to execute instructions encoded onnon-transitory computer-readable media.

Various elements, which are described herein in the context of one ormore embodiments, may be provided separately or in any suitablesubcombination. For example, the processes described herein may beimplemented in hardware, software, or a combination thereof. Further,the processes described herein are not limited to the specificembodiments described. For example, the processes described herein arenot limited to the specific processing order described herein and,rather, process blocks may be re-ordered, combined, removed, orperformed in parallel or in serial, as necessary, to achieve the resultsset forth herein.

It will be further understood that various changes in the details,materials, and arrangements of the parts that have been described andillustrated herein may be made by those skilled in the art withoutdeparting from the scope of the following claims.

We claim:
 1. A method of authentication, the method comprising:receiving, by a server in a first network, an authentication requestfrom a device in a second network different from the first network, theauthentication request including a first credential and a type ofdevice; identifying, by the server, using the authentication request,the type of device corresponding to the device from a plurality of typesof devices; determining, by the server from a plurality of types oflocators, a type of locator supported by the device based at least onthe type of device; using, by the server, the type of locator determinedto be supported by the device to select an authentication policy from adatabase maintaining a plurality of authentication policiescorresponding to the plurality of types of locators, each authenticationpolicy of the plurality of authentication policies specifying arespective type of locator to be used for a corresponding type of deviceand a location identifier defined by the respective type of locator fromwhich the authentication request is to originate in order toauthenticate the device to the first network from the second network;transmitting, by the server to the device, a location-evidence requestspecifying the type of locator to be used in accordance with theauthentication policy to authenticate the device, receipt of thelocation-evidence request causing the client to identify location datadefined by the type of locator; receiving, by the server, the locationdata defined by the type of locator from the device responsive to thelocation-evidence request; and resolving, by the server, theauthentication request using the first credential and a comparisonbetween the location data from the client and the location identifierspecified by the authentication policy.
 2. The method of claim 1,wherein the plurality of types of devices includes at least one of asensor or a monitor and wherein the plurality of types of locatorsincludes a satellite-based positioning system, a network access point,and a beacon.
 3. The method of claim 1, comprising: receiving, by theserver from the device, a location of the device from a satellite-basedpositioning system; determining a distance from the location of thedevice to the specified latitude and longitude; comparing the determineddistance to a range threshold; and resolving the authentication requestbased on the comparison of the distance to the range threshold.
 4. Themethod of claim 1, comprising receiving, by the server from the device,location proof data from a beacon proximate to the device, wherein thebeacon is at a location known to the server.
 5. The method of claim 4,wherein the location proof data is received by the device from thebeacon via a short-range radio-frequency communication.
 6. The method ofclaim 4, further comprising receiving, by the server from the device,location proof data from a second device proximate to the device,wherein the second device is in communication with the server and isseparately authenticated by the server.
 7. The method of claim 1,wherein the location parameter includes a network participationrequirement satisfied by the second network.
 8. The method of claim 7,comprising receiving, by the server from the device, proof that thedevice is participating in the second network.
 9. The method of claim 1,comprising receiving, by the server, the authentication request from thedevice via a cryptographically secured communication channel.
 10. Themethod of claim 1, comprising transmitting, by the server to the deviceand responsive to receiving the authentication request, a secondaryrequest soliciting the location parameter.
 11. A system forauthentication, the system comprising: an authentication server, havingone or more hardware processors, the authentication server situated in afirst network and configured to: receive an authentication request froma device in a second network different from the first network, theauthentication request including a first credential and a type ofdevice; identify, using the authentication request, the type of devicecorresponding to the device from a plurality of types of devices;determine, from a plurality of types of locators, a type of locatorsupported by the device based at least on the type of device; use thetype of locator determined to be supported by the device to select anauthentication policy from a database maintaining a plurality ofauthentication policies corresponding to the plurality of types oflocators, each authentication policy of the plurality of authenticationpolicies specifying a respective type of locator to be used for acorresponding type of device and a location identifier defined by therespective type of locator from which the authentication request is tooriginate in order to authenticate the device to the first network fromthe second network; transmit, to the device, a location-evidence requestspecifying the type of locator to be used in accordance with theauthentication policy to authenticate the device, receipt of thelocation-evidence request causing the client to identify location datadefined by the type of locator; receive the location data defined by thetype of locator from the device responsive to the location-evidencerequest; and resolve the authentication request using the firstcredential and a comparison between the location data from the clientand the location identifier specified by the authentication policy. 12.The system of claim 11, wherein the plurality of types of devicesincludes at least one of a sensor or a monitor and wherein the pluralityof types of locators includes a satellite-based positioning system, anetwork access point, or a beacon.
 13. The system of claim 11, whereinthe authentication server is further configured to: receive, from thedevice, a location of the device from a satellite-based positioningsystem; determine a distance from the location of the device to thespecified latitude and longitude; compare the determined distance to arange threshold; and resolve the authentication request based on thecomparison of the distance to the range threshold.
 14. The system ofclaim 11, wherein the authentication server is further configured toreceive, from the device, location proof data from a beacon proximate tothe device, wherein the beacon is at a location known to the server. 15.The system of claim 14, wherein the location proof data is received bythe device from the beacon via a short-range radio-frequencycommunication.
 16. The system of claim 11, wherein the authenticationserver is further configured to receive, from the device, location proofdata from a second device proximate to the device, wherein the seconddevice is in communication with the server and is separatelyauthenticated by the server.
 17. The system of claim 11, wherein thelocation parameter includes a network participation requirementsatisfied by the second network.
 18. The system of claim 17, wherein theauthentication server is further configured to receive, from the device,proof that the device is participating in the second network.
 19. Thesystem of claim 11, wherein the authentication server is furtherconfigured to receive the authentication request from the device via acryptographically secured communication channel.
 20. The system of claim11, wherein the authentication server is further configured to transmit,to the device and responsive to receiving the authentication request, asecondary request soliciting the location parameter.